Posts Tagged PCI-DSS

As thousands of harried spouses and romantically entangled Americans scramble to find the right Valentine’s Day gifts this week, many are pulling out the credit cards and ordering online or over the phone or waiting in line to swipe their debit cards at the florist or candy store. That’s a lot of personal data zooming through cyberspace, which can make the perfect gift for hackers.

One of the compliance regulations that controls how merchants and others handle credit card data is PCI DSS, established to prevent, detect and react to unauthorized access to personal payment information. The standards are strict and penalties can be stiff.

The challenge comes when retailers, overwhelmed with busy shopping seasons and lines of customers, have so many things to manage that their vigilance protecting customer data can lose priority. And yet, it just takes one misstep to open the doors to a data breach.

That’s why it’s critical that retailers and other organizations who handle credit card information regularly assess their data protection policies and processes, and implement effective encryption and data transfer tools that can automate the process of keeping data secure so they can focus on keeping their customers happy.

Check out this story in today’s Omaha World Herald about the challenges businesses of all sizes face when trying to avoid a costly data breach. And for more information about how Linoma Software can help keep your data safe at rest and in motion, email Solutions@LinomaSoftware.com.

If you’re doing business and collecting payments via credit card, debit card, or other e-commerce options that allow you to store and/or transmit cardholder data, you are subject to PCI DSS compliance regulations.

In an attempt to reduce credit card fraud, the Payment Card Industry Security Standards Council developed an information security standard for those with access to consumers’ transactions and card numbers. This standard continues to evolve, and is now labeled PCI DSS 2.0. While the compliance verification process isn’t formal for all organizations, they all must meet the standard to manage liability in case of credit card fraud.

Of course, the real reason we must now pay so much attention to compliance is others’ irresponsible abuse. Somewhere along the data strewn path, a few malicious malcontents had to succumb to the voice of greed and abuse their technological skill sets. All IT professionals’ jobs are tougher thanks to those that through hacking, sniffing, or lifting data sources chose to steal and sell inadequately secured information.

The truth is, though, that “data” really is sensitive information and we live in a paranoid modern world where dastardly damage is done with a just a little twist of the facts. So in response to the cries of outrage among our citizens, politicians have wrung their bureaucratic hands and offered plenty of passing legislation designed to protect our data.

Because IT is responsible for the company’s data, we need to stay abreast of the laws that apply to it. We also need to to fully understand and implement the three types of data protection: physical, transitional, and procedural.

Physical

Physical protection is probably the easiest. We secure the data on our servers, backup tapes and offsite facilities with technologies such as passwords, drive encryption, backup encryption, data center surveillance, physical locks, etc. We spare no expense in securing the physical because we can see it and believe it is secured. Or so we think.

Transitional

Transitional protection is a little more difficult. Any data files that leave our networks should be secured with managed FTP solutions that encrypt the files with SFTP, FTPS, HTTPS, PGP, and other protocols. Firewalls are set up to control what can leave or enter our data domain. DMZ gateways are set up to increase the virtual protection of the data and still allow designated users access to it.

Procedural

Procedural security is a type of data protection that is least understood and implemented. A clear and understandable security policy needs to be communicated to the end users so they become familiar with sensitive data is secured, and what consequences may loom if procedures aren’t followed.

The majority of us in IT are protective about who has access to our own sensitive data, so we can understand the reason for protecting everyone else, too. Yes, it’s a lot of work, but it’s part of the new normal.

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

When GoAnywhere Gateway is implemented, trading partners can exchange files with your organization without gaining access to your private network because no inbound ports will need to be opened to complete the exchange. This feature is especially important to auditors evaluating compliance with regulations such as PCI DSS, HIPAA, and SOX.

Highly sensitive data is frequently exchanged between organizations. For instance, a business will routinely transmit financial information to their bank including payroll direct deposits and ACH payments. These transactions most likely contain sensitive elements like bank account numbers, routing numbers, social security numbers and payment information.

Industry-specific transactions may also contain highly sensitive data. For example, in the health care business, patient records are regularly exchanged between hospitals, doctors and payment providers. In the insurance business, policy information is often transmitted between carriers. This information may contain names, addresses, birth dates, social security numbers and other private information.

Loss of sensitive data can result in great financial expense, lawsuits and public embarrassment for the affected organization. Therefore it is no surprise that industries are setting new regulations and standards to address the security of their data. For instance:

PCI DSS requires that credit card numbers are encrypted while “at rest” and “in motion”. Failure to do so can result in severe fines and potential loss of your merchant account.

HIPAA requires that healthcare records are secured to protect the privacy of patients.

State privacy laws require that customers are notified if their personal information may have been lost or stolen. Some states will also assess large fines against organizations if this data is not protected properly.

Organizations should consider compliance requirements and regulations when looking for a Managed File Transfer solution. An effective solution should have a number of encryption methods available to protect sensitive data including SSL, SSH, AES and Open PGP encryption. Audit trails should also be in place to track file transfer activity so you can easily determine what files are being sent, what time they are sent, who the sender and receiver is, and so on. If you are looking for a comprehensive solution be sure to check out our GoAnywhere Managed File Transfer Suite.

Bob Luebbe has worked in the IT field since 1985. During his career, he has worked in a wide variety of roles including software development, project management, consulting and architecting large-scale applications. Bob has been with Linoma Software since 1994 and is currently serving its Chief Architect. His main focus for the last several years has been developing technologies to help organizations to automate and secure their file transfers, as well as to protect data at rest through encryption and key management.